Strapi Private Field Access Vulnerability via Unvalidated Lookup Parameter

Vulnerability

A vulnerability in Strapi's document service allows unauthorized access to private fields, including admin passwords and reset tokens, in versions 5.0.0 up to but not including 5.5.2. The issue arises because the lookup operator in the document service does not sanitize query parameters that reference private fields. An attacker can exploit this by crafting queries that manipulate the lookup parameter so that private field values are exposed in the response.

Impact

Exploitation of this vulnerability allows attackers to read private fields through filtering, including admin passwords and reset tokens, potentially leading to full access to the Strapi instance.

Reproduction

To reproduce this vulnerability, create a Strapi application and a content type. After adding a new entry in the content type, return to the list view. Append a crafted lookup parameter to the URL that targets private fields, such as passwords. The response will contain the private data, confirming the vulnerability.

Remediation

Users should upgrade to Strapi version 5.5.2 or later to address this vulnerability.

Added: Oct 16, 2025, 4:27 PM
Updated: Oct 16, 2025, 4:27 PM

Vulnerability Rating

Custom Algorithm

  spread          5.0
  impact          2.5
  exploitability  9.5
  remediation     7.7
  relevance       0.8
  threat          6.4
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to produce these eight vulnerability categories, which are then combined into the overall risk score.